Adding the Code-Signing Capability to Your InstallAnywhere Build Machines or Code-Signing Machines

InstallAnywhere 2024 R2

The following instructions explain how to prepare your InstallAnywhere build machine or your code-signing machine so that you can code sign your macOS or OS X–based installers and include authentication support. The process involves adding your Developer ID Application certificate to the Keychain Access utility on every machine that you will use for code signing. It also involves creating a code-signed helper tool and adding it to each of those machines.

Note: If you want to prepare your InstallAnywhere build machine or your code-signing machine for code signing your installers, but you do not need to be able to include authentication support in your installers, perform step 1 only. It is not necessary to generate a code-signed helper tool on your code-signing machines unless you plan to support authentication.

To add the code-signing capability to your machines:

1. Set up the Keychain Access utility on all of your machines that you will be using for code signing (either InstallAnywhere build machines or separate designated signing machines):
   a. Add your Developer ID Application certificate to the login keychain. For information on adding a certificate to a keychain, see Adding certificates to a keychain in the Developer Library.
   b. If you plan on performing builds through the command-line console: Ensure that the certificate has been granted access to be used by all applications.
      i. In Keychain Access, right-click the certificate and then click Get Info.
      ii. On the Access Control tab, click the Allow all applications to access this item option.
2. Ensure that the latest Xcode IDE and all of its default SDKs are installed.
3. If you are using your InstallAnywhere build machine to code sign, perform the following step in InstallAnywhere to generate a code-signed helper tool: On the File menu, click Prepare Helper Tool. The Prepare the Helper Tool dialog box opens. Use this dialog box to specify code-signing information and code sign the helper tool. To learn more, see Prepare the Helper Tool Dialog Box.
4. If you are using a separate designated signing machine, perform the following steps to generate a code-signed helper tool:
   a. Copy the ht-signer folder in the IA_INSTALL_DIR/resource/nativetools/osx folder to the designated signing machine.
   b. In the ht-signer folder that you copied to the designated signing machine, find the build-helper-tool.sh file, open it in an editor, and customize the following entries:

      CERTIFICATE_ID—Specify the common name of the certificate. This name is displayed in Keychain Access (see screen shot below). The common name must use syntax such as this:

      "Developer ID Application: AAA Software LLC"

      CERTIFICATE_DEV_ID—Specify the user ID of the certificate. This ID is displayed in Keychain Access.

      [Screen shot: User ID and Common Name in Keychain Access]

      OUTPUT_DIR—Specify the output directory where the helper tool will be copied.

      SDK_PATH—Specify the macOS or OS X SDK directory. If the macOS or OS X SDK is available in the default path, you can leave this blank. If you are logged in on an OS X 10.9–based machine, SDK 10.9 is the default SDK. If you want to specify a separate SDK, or if the SDK is not installed, provide the absolute path of the SDK. For example:

      SDK_PATH="/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.9.sdk"

   c. Change the current directory to the ht-signer directory, and execute the revised build-helper-tool.sh script in that directory. The signed helper tool—called com.flexera.ia.helper—is created in the output directory that you specified for OUTPUT_DIR.
5. Verify that the helper tool was successfully signed. To learn how, see Verifying that Your Code-Signing Output Files Are Working as Expected on macOS or OS X–Based Target Systems.
6. Make the verified, signed helper tool available to all of your InstallAnywhere build machines: Copy the com.flexera.ia.helper tool to the IA_INSTALL_DIR/resource/nativetools/osx folder on each InstallAnywhere build machine.

Your machines are now ready to code sign your installers. The next time that you build an installer that includes authentication support, InstallAnywhere includes your signed helper tool with your installer.

If you install a new version of InstallAnywhere, or if you replace a Developer ID Application certificate with a new one, repeat this process.
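
The checks around steps 1, 4 and 5 can be scripted on a signing machine. The following is an added example, not InstallAnywhere or Flexera code: it confirms that exactly one keychain identity matches the CERTIFICATE_ID you entered in build-helper-tool.sh, and that the helper tool's leaf signer is that certificate. The function names, the script name and the sample output are constructed for illustration; names are matched by prefix because Keychain common names often end with a team ID in parentheses.

```bash
#!/bin/sh
# Added example (not InstallAnywhere code). Sample data below is constructed.
SAMPLE_IDENTITIES='  1) 0000000000000000000000000000000000000001 "Apple Development: dev@example.com (ZZZZZ00000)"
  2) 0000000000000000000000000000000000000002 "Developer ID Application: AAA Software LLC (ABCDE12345)"
     2 valid identities found'
SAMPLE_DVV='Identifier=com.flexera.ia.helper
Authority=Developer ID Application: AAA Software LLC (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345'

# Count identities whose quoted name starts with CERTIFICATE_ID.
# $1 = output of `security find-identity -v -p codesigning`, $2 = CERTIFICATE_ID
count_identities() {
  printf '%s\n' "$1" | grep -cF -- "\"$2" || true
}

# 0 = exactly one match; 1 = none (certificate not in the keychain);
# 2 = several (codesign rejects an ambiguous identity name).
# $1 = CERTIFICATE_ID, $2 = captured output (optional; queried live if empty)
check_identity() {
  [ -n "$1" ] || return 1
  ci_out=${2:-$(security find-identity -v -p codesigning)}
  case $(count_identities "$ci_out" "$1") in
    1) return 0 ;; 0) return 1 ;; *) return 2 ;;
  esac
}

# Succeeds only when the first (leaf) Authority line is the expected certificate.
# $1 = output of `codesign -dvv <file>`, $2 = CERTIFICATE_ID
leaf_authority_matches() {
  [ -n "$2" ] || return 1
  la_leaf=$(printf '%s\n' "$1" | sed -n 's/^Authority=//p' | head -n 1)
  case $la_leaf in "$2"*) return 0 ;; *) return 1 ;; esac
}

# Step 5 on a signing machine: check signature integrity, then the signer.
# $1 = path to com.flexera.ia.helper, $2 = CERTIFICATE_ID
verify_helper() {
  codesign --verify --strict --verbose=2 "$1" || return 1
  leaf_authority_matches "$(codesign -dvv "$1" 2>&1)" "$2"
}

# Usage on macOS: sh preflight.sh "<CERTIFICATE_ID>" <path-to-helper>
if [ "$#" -eq 2 ]; then
  check_identity "$1" && verify_helper "$2" "$1" && echo "helper tool OK"
fi
```

Run the identity check before build-helper-tool.sh and the helper check before copying com.flexera.ia.helper to the build machines in step 6, so that an unsigned or wrongly signed helper is never distributed.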
